@mondaydotcomorg/atp-protocol
Version:
Core protocol types and interfaces for Agent Tool Protocol
1 lines • 56.2 kB
Source Map (JSON)
{"version":3,"sources":["../src/types.ts","../src/schemas.ts","../src/validation.ts","../src/auth.ts","../src/providers.ts"],"names":["CallbackType","ToolOperation","ToolOperationType","ToolSensitivityLevel","ExecutionStatus","ExecutionErrorCode","ExecutionConfigSchema","type","properties","timeout","minimum","maximum","maxMemory","maxLLMCalls","allowedAPIs","items","allowLLMCalls","required","SearchOptionsSchema","query","minLength","apiGroups","maxResults","useEmbeddings","embeddingModel","AgentToolProtocolRequestSchema","jsonrpc","enum","id","method","params","AgentToolProtocolResponseSchema","result","error","code","message","data","MAX_CODE_SIZE","ConfigValidationError","Error","constructor","field","value","name","SecurityViolationError","violations","sanitizeInput","input","maxLength","sanitized","replace","length","substring","frameCodeExecution","userCode","cleaned","trim","executionConfigSchema","z","object","number","invalid_type_error","positive","max","optional","nonnegative","array","string","refine","val","boolean","progressCallback","function","customLLMHandler","clientServices","any","provenanceMode","securityPolicies","provenanceHints","validateExecutionConfig","config","parse","ZodError","errors","map","err","join","validateClientId","clientId","test","CredentialResolver","providers","Map","registerProvider","provider","set","resolve","authConfig","get","scheme","resolveAPIKey","resolveBearer","resolveBasic","resolveOAuth2","resolveCustom","resolveComposite","getValue","in","headers","queryParams","token","Authorization","username","usernameEnvVar","process","env","password","passwordEnvVar","credentials","Buffer","from","toString","clientIdEnvVar","clientSecret","clientSecretEnvVar","undefined","flow","fetchOAuth2Token","tokenUrl","scopes","Object","assign","headerEnvVars","headerName","envVar","entries","queryParamEnvVars","paramName","keys","credName","credConfig","injectAs","queryParamName","URLSearchParams","grant_type","client_id","client_secret","append","response","fetch","body","ok","statusText","json","access_token","MultiAuditSink","sinks","write","event","Promise","all","sink","writeBatch","events","filter","disconnect"],"mappings":";;;;;;;;UAMYA,aAAAA,EAAAA;;;;;GAAAA,oBAAAA,KAAAA,oBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAUAC,cAAAA,EAAAA;;GAAAA,qBAAAA,KAAAA,qBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UA0IAC,kBAAAA,EAAAA;AACmB,EAAAA,kBAAAA,CAAA,MAAA,CAAA,GAAA,MAAA;AAEE,EAAAA,kBAAAA,CAAA,OAAA,CAAA,GAAA,OAAA;AAEW,EAAAA,kBAAAA,CAAA,aAAA,CAAA,GAAA,aAAA;GALhCA,yBAAAA,KAAAA,yBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAYAC,qBAAAA,EAAAA;AAC8B,EAAAA,qBAAAA,CAAA,QAAA,CAAA,GAAA,QAAA;AAEE,EAAAA,qBAAAA,CAAA,UAAA,CAAA,GAAA,UAAA;AAEI,EAAAA,qBAAAA,CAAA,WAAA,CAAA,GAAA,WAAA;GALpCA,4BAAAA,KAAAA,4BAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAuHAC,gBAAAA,EAAAA;;;;;;;;;;;;;;GAAAA,uBAAAA,KAAAA,uBAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;UAmBAC,mBAAAA,EAAAA;;;;;;;;;;;;;;;;;;;;;GAAAA,0BAAAA,KAAAA,0BAAAA,GAAAA,EAAAA,CAAAA,CAAAA;;;AC9SL,IAAMC,qBAAAA,GAAoC;EAChDC,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXC,OAAAA,EAAS;MAAEF,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,GAAA;MAAMC,OAAAA,EAAS;AAAO,KAAA;IAC1DC,SAAAA,EAAW;MAAEL,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,OAAA;MAASC,OAAAA,EAAS;AAAU,KAAA;IAClEE,WAAAA,EAAa;MAAEN,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,CAAA;MAAGC,OAAAA,EAAS;AAAI,KAAA;IACxDG,WAAAA,EAAa;MAAEP,IAAAA,EAAM,OAAA;MAASQ,KAAAA,EAAO;QAAER,IAAAA,EAAM;AAAS;AAAE,KAAA;IACxDS,aAAAA,EAAe;MAAET,IAAAA,EAAM;AAAU;AAClC,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA,WAAA;AAAa,IAAA,aAAA;AAAe,IAAA,aAAA;AAAe,IAAA;;AAClE;AAEO,IAAMC,mBAAAA,GAAkC;EAC9CX,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXW,KAAAA,EAAO;MAAEZ,IAAAA,EAAM,QAAA;MAAUa,SAAAA,EAAW;AAAE,KAAA;IACtCC,SAAAA,EAAW;MAAEd,IAAAA,EAAM,OAAA;MAASQ,KAAAA,EAAO;QAAER,IAAAA,EAAM;AAAS;AAAE,KAAA;IACtDe,UAAAA,EAAY;MAAEf,IAAAA,EAAM,QAAA;MAAUG,OAAAA,EAAS,CAAA;MAAGC,OAAAA,EAAS;AAAI,KAAA;IACvDY,aAAAA,EAAe;MAAEhB,IAAAA,EAAM;AAAU,KAAA;IACjCiB,cAAAA,EAAgB;MAAEjB,IAAAA,EAAM;AAAS;AAClC,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA;;AACZ;AAEO,IAAMQ,8BAAAA,GAA6C;EACzDlB,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXkB,OAAAA,EAAS;MAAEnB,IAAAA,EAAM,QAAA;MAAUoB,IAAAA,EAAM;AAAC,QAAA;;AAAO,KAAA;IACzCC,EAAAA,EAAI;MAAErB,IAAAA,EAAM;AAAC,QAAA,QAAA;AAAU,QAAA;;AAAU,KAAA;IACjCsB,MAAAA,EAAQ;MAAEtB,IAAAA,EAAM;AAAS,KAAA;IACzBuB,MAAAA,EAAQ;MAAEvB,IAAAA,EAAM;AAAS;AAC1B,GAAA;EACAU,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA,IAAA;AAAM,IAAA,QAAA;AAAU,IAAA;;AACvC;AAEO,IAAMc,+BAAAA,GAA8C;EAC1DxB,IAAAA,EAAM,QAAA;EACNC,UAAAA,EAAY;IACXkB,OAAAA,EAAS;MAAEnB,IAAAA,EAAM,QAAA;MAAUoB,IAAAA,EAAM;AAAC,QAAA;;AAAO,KAAA;IACzCC,EAAAA,EAAI;MAAErB,IAAAA,EAAM;AAAC,QAAA,QAAA;AAAU,QAAA;;AAAU,KAAA;AACjCyB,IAAAA,MAAAA,EAAQ,EAAC;IACTC,KAAAA,EAAO;MACN1B,IAAAA,EAAM,QAAA;MACNC,UAAAA,EAAY;QACX0B,IAAAA,EAAM;UAAE3B,IAAAA,EAAM;AAAS,SAAA;QACvB4B,OAAAA,EAAS;UAAE5B,IAAAA,EAAM;AAAS,SAAA;AAC1B6B,QAAAA,IAAAA,EAAM;AACP,OAAA;MACAnB,QAAAA,EAAU;AAAC,QAAA,MAAA;AAAQ,QAAA;;AACpB;AACD,GAAA;EACAA,QAAAA,EAAU;AAAC,IAAA,SAAA;AAAW,IAAA;;AACvB;AC5CO,IAAMoB,aAAAA,GAAgB;AAEtB,IAAMC,qBAAAA,GAAN,cAAoCC,KAAAA,CAAAA;EAZ3C;;;;;EAaCC,WAAAA,CACCL,OAAAA,EACgBM,OACAC,KAAAA,EACf;AACD,IAAA,KAAA,CAAMP,OAAAA,CAAAA;SAHUM,KAAAA,GAAAA,KAAAA;SACAC,KAAAA,GAAAA,KAAAA;AAGhB,IAAA,IAAA,CAAKC,IAAAA,GAAO,uBAAA;AACb,EAAA;AACD;AAEO,IAAMC,sBAAAA,GAAN,cAAqCL,KAAAA,CAAAA;EAvB5C;;;;AAwBCC,EAAAA,WAAAA,CACCL,SACgBU,UAAAA,EACf;AACD,IAAA,KAAA,CAAMV,OAAAA,CAAAA;SAFUU,UAAAA,GAAAA,UAAAA;AAGhB,IAAA,IAAA,CAAKF,IAAAA,GAAO,wBAAA;AACb,EAAA;AACD;AAKO,SAASG,aAAAA,CAAcC,KAAAA,EAAeC,SAAAA,GAAYX,aAAAA,EAAa;AACrE,EAAA,IAAI,OAAOU,UAAU,QAAA,EAAU;AAC9B,IAAA,OAAO,EAAA;AACR,EAAA;AAEA,EAAA,IAAIE,SAAAA,GAAYF,KAAAA,CAAMG,OAAAA,CAAQ,oCAAA,EAAsC,EAAA,CAAA;AAEpED,EAAAA,SAAAA,GAAYA,SAAAA,CAAUC,OAAAA,CAAQ,wBAAA,EAA0B,EAAA,CAAA;AAExDD,EAAAA,SAAAA,GAAYA,SAAAA,CAAUC,OAAAA,CAAQ,UAAA,EAAY,QAAA,CAAA;AAE1C,EAAA,IAAID,SAAAA,CAAUE,SAASH,SAAAA,EAAW;AACjCC,IAAAA,SAAAA,GAAYA,SAAAA,CAAUG,SAAAA,CAAU,CAAA,EAAGJ,SAAAA,CAAAA;AACpC,EAAA;AAEA,EAAA,OAAOC,SAAAA;AACR;AAhBgBH,MAAAA,CAAAA,aAAAA,EAAAA,eAAAA,CAAAA;AAsBT,SAASO,mBAAmBC,QAAAA,EAAgB;AAClD,EAAA,MAAMC,OAAAA,GAAUT,cAAcQ,QAAAA,CAAAA;AAE9B,EAAA,OAAO;;;GAGLC,OAAAA;;EAEDC,IAAAA,EAAI;AACN;AATgBH,MAAAA,CAAAA,kBAAAA,EAAAA,oBAAAA,CAAAA;AAcT,IAAMI,qBAAAA,GAAwBC,MAAEC,MAAAA,CAAO;AAC7ClD,EAAAA,OAAAA,EAASiD,MACPE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCC,SAAS,0BAAA,CAAA,CACTC,IAAI,GAAA,EAAQ,4CAAA,EACZC,QAAAA,EAAQ;AAEVpD,EAAAA,SAAAA,EAAW8C,MACTE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCC,QAAAA,CAAS,4BAAA,CAAA,CACTC,GAAAA,CAAI,MAAM,IAAA,GAAO,IAAA,EAAM,+BAAA,CAAA,CACvBC,QAAAA,EAAQ;AAEVnD,EAAAA,WAAAA,EAAa6C,MACXE,MAAAA,CAAO;IACPC,kBAAAA,EAAoB;GACrB,CAAA,CACCI,YAAY,gCAAA,CAAA,CACZF,IAAI,GAAA,EAAM,gCAAA,EACVC,QAAAA,EAAQ;AAEVlD,EAAAA,WAAAA,EAAa4C,KAAAA,CACXQ,KAAAA,CACAR,KAAAA,CAAES,MAAAA,EAAM,CAAGC,MAAAA,CAAO,CAACC,GAAAA,KAAQA,GAAAA,CAAIb,IAAAA,EAAI,CAAGL,MAAAA,GAAS,CAAA,EAAG;IACjDhB,OAAAA,EAAS;GACV,CAAA,EAEA6B,QAAAA,EAAQ;AAEVhD,EAAAA,aAAAA,EAAe0C,MACbY,OAAAA,CAAQ;IACRT,kBAAAA,EAAoB;AACrB,GAAA,EACCG,QAAAA,EAAQ;EAEVO,gBAAAA,EAAkBb,KAAAA,CAAEc,QAAAA,EAAQ,CAAGR,QAAAA,EAAQ;EACvCS,gBAAAA,EAAkBf,KAAAA,CAAEc,QAAAA,EAAQ,CAAGR,QAAAA,EAAQ;EACvCU,cAAAA,EAAgBhB,KAAAA,CAAEiB,GAAAA,EAAG,CAAGX,QAAAA,EAAQ;EAChCY,cAAAA,EAAgBlB,KAAAA,CAAEiB,GAAAA,EAAG,CAAGX,QAAAA,EAAQ;AAChCa,EAAAA,gBAAAA,EAAkBnB,MAAEQ,KAAAA,CAAMR,KAAAA,CAAEiB,GAAAA,EAAG,EAAIX,QAAAA,EAAQ;AAC3Cc,EAAAA,eAAAA,EAAiBpB,MAAEQ,KAAAA,CAAMR,KAAAA,CAAES,MAAAA,EAAM,EAAIH,QAAAA;AACtC,CAAA;AAKO,SAASe,wBAAwBC,MAAAA,EAAgC;AACvE,EAAA,IAAI;AACHvB,IAAAA,qBAAAA,CAAsBwB,MAAMD,MAAAA,CAAAA;AAC7B,EAAA,CAAA,CAAA,OAAS/C,KAAAA,EAAO;AACf,IAAA,IAAIA,KAAAA,YAAiByB,MAAEwB,QAAAA,EAAU;AAChC,MAAA,MAAMC,SAASlD,KAAAA,CAAMkD,MAAAA,CAAOC,IAAI,CAACC,GAAAA,KAAQA,IAAIlD,OAAO,CAAA;AACpD,MAAA,MAAM,IAAIG,sBACT,CAAA,yBAAA,EAA4B6C,MAAAA,CAAOG,KAAK,IAAA,CAAA,CAAA,CAAA,EACxC,iBAAA,EACAN,MAAAA,CAAAA;AAEF,IAAA;AACA,IAAA,MAAM/C,KAAAA;AACP,EAAA;AACD;AAdgB8C,MAAAA,CAAAA,uBAAAA,EAAAA,yBAAAA,CAAAA;AAmBT,SAASQ,iBAAiBC,QAAAA,EAAgB;AAChD,EAAA,IAAI,OAAOA,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAIlD,qBAAAA,CAAsB,2BAAA,EAA6B,UAAA,EAAYkD,QAAAA,CAAAA;AAC1E,EAAA;AAEA,EAAA,IAAIA,QAAAA,CAAShC,IAAAA,EAAI,CAAGL,MAAAA,KAAW,CAAA,EAAG;AACjC,IAAA,MAAM,IAAIb,qBAAAA,CAAsB,0BAAA,EAA4B,UAAA,EAAYkD,QAAAA,CAAAA;AACzE,EAAA;AAEA,EAAA,IAAIA,QAAAA,CAASrC,SAAS,GAAA,EAAK;AAC1B,IAAA,MAAM,IAAIb,qBAAAA,CAAsB,uCAAA,EAAyC,UAAA,EAAYkD,QAAAA,CAAAA;AACtF,EAAA;AAEA,EAAA,IAAI,CAAC,kBAAA,CAAmBC,IAAAA,CAAKD,QAAAA,CAAAA,EAAW;AACvC,IAAA,MAAM,IAAIlD,qBAAAA,CACT,4EAAA,EACA,UAAA,EACAkD,QAAAA,CAAAA;AAEF,EAAA;AACD;AApBgBD,MAAAA,CAAAA,gBAAAA,EAAAA,kBAAAA,CAAAA;;;ACyBT,IAAMG,qBAAN,MAAMA;EAtKb;;;AAuKSC,EAAAA,SAAAA,uBAAiDC,GAAAA,EAAAA;;;;AAKzDC,EAAAA,gBAAAA,CAAiBC,QAAAA,EAAoC;AACpD,IAAA,IAAA,CAAKH,SAAAA,CAAUI,GAAAA,CAAID,QAAAA,CAASnD,IAAAA,EAAMmD,QAAAA,CAAAA;AACnC,EAAA;;;;AAKA,EAAA,MAAME,QAAQC,UAAAA,EAA8C;AAC3D,IAAA,IAAIA,WAAWH,QAAAA,EAAU;AACxB,MAAA,MAAMA,QAAAA,GAAW,IAAA,CAAKH,SAAAA,CAAUO,GAAAA,CAAID,WAAWH,QAAQ,CAAA;AACvD,MAAA,IAAI,CAACA,QAAAA,EAAU;AACd,QAAA,MAAM,IAAIvD,KAAAA,CAAM,CAAA,qBAAA,EAAwB0D,UAAAA,CAAWH,QAAQ,CAAA,WAAA,CAAa,CAAA;AACzE,MAAA;AACA,MAAA,OAAO,MAAMA,SAASE,OAAAA,EAAO;AAC9B,IAAA;AAEA,IAAA,QAAQC,WAAWE,MAAAA;MAClB,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKC,cAAcH,UAAAA,CAAAA;MAC3B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKI,cAAcJ,UAAAA,CAAAA;MAC3B,KAAK,OAAA;AACJ,QAAA,OAAO,IAAA,CAAKK,aAAaL,UAAAA,CAAAA;MAC1B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKM,cAAcN,UAAAA,CAAAA;MAC3B,KAAK,QAAA;AACJ,QAAA,OAAO,IAAA,CAAKO,cAAcP,UAAAA,CAAAA;MAC3B,KAAK,WAAA;AACJ,QAAA,OAAO,IAAA,CAAKQ,iBAAiBR,UAAAA,CAAAA;AAC9B,MAAA;AACC,QAAA,MAAM,IAAI1D,KAAAA,CAAM,CAAA,yBAAA,EAA6B0D,UAAAA,CAAmBE,MAAM,CAAA,CAAE,CAAA;AAC1E;AACD,EAAA;AAEQC,EAAAA,aAAAA,CAAcpB,MAAAA,EAAuC;AAC5D,IAAA,MAAMtC,KAAAA,GAAQ,IAAA,CAAKgE,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI,CAACtC,KAAAA,EAAO;AACX,MAAA,MAAM,IAAIH,KAAAA,CAAM,CAAA,0BAAA,EAA6ByC,MAAAA,CAAOrC,IAAI,CAAA,CAAA,CAAG,CAAA;AAC5D,IAAA;AAEA,IAAA,IAAIqC,MAAAA,CAAO2B,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO;QAAEC,OAAAA,EAAS;UAAE,CAAC5B,MAAAA,CAAOrC,IAAI,GAAGD;AAAM;AAAE,OAAA;IAC5C,CAAA,MAAO;AACN,MAAA,OAAO;QAAEmE,WAAAA,EAAa;UAAE,CAAC7B,MAAAA,CAAOrC,IAAI,GAAGD;AAAM;AAAE,OAAA;AAChD,IAAA;AACD,EAAA;AAEQ2D,EAAAA,aAAAA,CAAcrB,MAAAA,EAAuC;AAC5D,IAAA,MAAM8B,KAAAA,GAAQ,IAAA,CAAKJ,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI,CAAC8B,KAAAA,EAAO;AACX,MAAA,MAAM,IAAIvE,MAAM,2BAAA,CAAA;AACjB,IAAA;AAEA,IAAA,OAAO;MACNqE,OAAAA,EAAS;AACRG,QAAAA,aAAAA,EAAe,UAAUD,KAAAA,CAAAA;AAC1B;AACD,KAAA;AACD,EAAA;AAEQR,EAAAA,YAAAA,CAAatB,MAAAA,EAAsC;AAC1D,IAAA,MAAMgC,QAAAA,GAAWhC,OAAOiC,cAAAA,GAAiBC,OAAAA,CAAQC,IAAInC,MAAAA,CAAOiC,cAAc,IAAIjC,MAAAA,CAAOgC,QAAAA;AACrF,IAAA,MAAMI,QAAAA,GAAWpC,MAAAA,CAAOqC,cAAAA,GACrBH,OAAAA,CAAQC,GAAAA,CAAInC,OAAOqC,cAAc,CAAA,GACjC,IAAA,CAAKX,QAAAA,CAAS1B,MAAAA,CAAAA;AAEjB,IAAA,IAAI,CAACgC,QAAAA,IAAY,CAACI,QAAAA,EAAU;AAC3B,MAAA,MAAM,IAAI7E,MAAM,+CAAA,CAAA;AACjB,IAAA;AAEA,IAAA,MAAM+E,WAAAA,GAAcC,MAAAA,CAAOC,IAAAA,CAAK,CAAA,EAAGR,QAAAA,IAAYI,QAAAA,CAAAA,CAAU,CAAA,CAAEK,QAAAA,CAAS,QAAA,CAAA;AACpE,IAAA,OAAO;MACNb,OAAAA,EAAS;AACRG,QAAAA,aAAAA,EAAe,SAASO,WAAAA,CAAAA;AACzB;AACD,KAAA;AACD,EAAA;AAEA,EAAA,MAAcf,cAAcvB,MAAAA,EAAgD;AAC3E,IAAA,MAAMQ,QAAAA,GAAWR,OAAO0C,cAAAA,GAAiBR,OAAAA,CAAQC,IAAInC,MAAAA,CAAO0C,cAAc,IAAI1C,MAAAA,CAAOQ,QAAAA;AACrF,IAAA,MAAMmC,eAAe3C,MAAAA,CAAO4C,kBAAAA,GACzBV,QAAQC,GAAAA,CAAInC,MAAAA,CAAO4C,kBAAkB,CAAA,GACrCC,MAAAA;AAEH,IAAA,IAAI,CAACrC,QAAAA,IAAY,CAACmC,YAAAA,EAAc;AAC/B,MAAA,MAAM,IAAIpF,MAAM,wCAAA,CAAA;AACjB,IAAA;AAEA,IAAA,IAAIyC,MAAAA,CAAO8C,SAAS,mBAAA,EAAqB;AACxC,MAAA,MAAMhB,MAAAA,GAAQ,MAAM,IAAA,CAAKiB,gBAAAA,CACxB/C,OAAOgD,QAAAA,EACPxC,QAAAA,EACAmC,YAAAA,EACA3C,MAAAA,CAAOiD,MAAM,CAAA;AAEd,MAAA,OAAO;QACNrB,OAAAA,EAAS;AACRG,UAAAA,aAAAA,EAAe,UAAUD,MAAAA,CAAAA;AAC1B;AACD,OAAA;AACD,IAAA;AAEA,IAAA,MAAMA,KAAAA,GAAQ,IAAA,CAAKJ,QAAAA,CAAS1B,MAAAA,CAAAA;AAC5B,IAAA,IAAI8B,KAAAA,EAAO;AACV,MAAA,OAAO;QACNF,OAAAA,EAAS;AACRG,UAAAA,aAAAA,EAAe,UAAUD,KAAAA,CAAAA;AAC1B;AACD,OAAA;AACD,IAAA;AAEA,IAAA,MAAM,IAAIvE,KAAAA,CAAM,CAAA,aAAA,EAAgByC,MAAAA,CAAO8C,IAAI,CAAA,6BAAA,CAA+B,CAAA;AAC3E,EAAA;AAEQtB,EAAAA,aAAAA,CAAcxB,MAAAA,EAAuC;AAC5D,IAAA,MAAM4B,UAAkC,EAAC;AACzC,IAAA,MAAMC,cAAsC,EAAC;AAE7CqB,IAAAA,MAAAA,CAAOC,MAAAA,CAAOvB,OAAAA,EAAS5B,MAAAA,CAAO4B,OAAO,CAAA;AAErC,IAAA,IAAI5B,OAAOoD,aAAAA,EAAe;AACzB,MAAA,KAAA,MAAW,CAACC,YAAYC,MAAAA,CAAAA,IAAWJ,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOoD,aAAa,CAAA,EAAG;AACxE,QAAA,MAAM1F,KAAAA,GAAQwE,OAAAA,CAAQC,GAAAA,CAAImB,MAAAA,CAAAA;AAC1B,QAAA,IAAI5F,KAAAA,EAAO;AACVkE,UAAAA,OAAAA,CAAQyB,UAAAA,CAAAA,GAAc3F,KAAAA;AACvB,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,IAAIsC,OAAO6B,WAAAA,EAAa;AACvBqB,MAAAA,MAAAA,CAAOC,MAAAA,CAAOtB,WAAAA,EAAa7B,MAAAA,CAAO6B,WAAW,CAAA;AAC9C,IAAA;AAEA,IAAA,IAAI7B,OAAOwD,iBAAAA,EAAmB;AAC7B,MAAA,KAAA,MAAW,CAACC,WAAWH,MAAAA,CAAAA,IAAWJ,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOwD,iBAAiB,CAAA,EAAG;AAC3E,QAAA,MAAM9F,KAAAA,GAAQwE,OAAAA,CAAQC,GAAAA,CAAImB,MAAAA,CAAAA;AAC1B,QAAA,IAAI5F,KAAAA,EAAO;AACVmE,UAAAA,WAAAA,CAAY4B,SAAAA,CAAAA,GAAa/F,KAAAA;AAC1B,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,OAAO;AACNkE,MAAAA,OAAAA,EAASsB,OAAOQ,IAAAA,CAAK9B,OAAAA,CAAAA,CAASzD,MAAAA,GAAS,IAAIyD,OAAAA,GAAUiB,MAAAA;AACrDhB,MAAAA,WAAAA,EAAaqB,OAAOQ,IAAAA,CAAK7B,WAAAA,CAAAA,CAAa1D,MAAAA,GAAS,IAAI0D,WAAAA,GAAcgB;AAClE,KAAA;AACD,EAAA;AAEQpB,EAAAA,gBAAAA,CAAiBzB,MAAAA,EAA0C;AAClE,IAAA,MAAM4B,UAAkC,EAAC;AACzC,IAAA,MAAMC,cAAsC,EAAC;AAE7C,IAAA,KAAA,MAAW,CAAC8B,UAAUC,UAAAA,CAAAA,IAAeV,OAAOK,OAAAA,CAAQvD,MAAAA,CAAOsC,WAAW,CAAA,EAAG;AACxE,MAAA,MAAM5E,KAAAA,GAAQkG,WAAWN,MAAAA,GAASpB,OAAAA,CAAQC,IAAIyB,UAAAA,CAAWN,MAAM,IAAIM,UAAAA,CAAWlG,KAAAA;AAE9E,MAAA,IAAI,CAACA,KAAAA,EAAO;AACX,QAAA,IAAIkG,UAAAA,CAAW3H,aAAa,KAAA,EAAO;AAClC,UAAA,MAAM,IAAIsB,KAAAA,CAAM,CAAA,qBAAA,EAAwBoG,QAAAA,CAAAA,cAAAA,CAAwB,CAAA;AACjE,QAAA;AACA,QAAA;AACD,MAAA;AAEA,MAAA,MAAME,QAAAA,GAAW7D,OAAO6D,QAAAA,IAAY,QAAA;AAEpC,MAAA,IAAA,CAAKA,QAAAA,KAAa,QAAA,IAAYA,QAAAA,KAAa,MAAA,KAAWD,WAAWP,UAAAA,EAAY;AAC5EzB,QAAAA,OAAAA,CAAQgC,UAAAA,CAAWP,UAAU,CAAA,GAAI3F,KAAAA;AAClC,MAAA;AAEA,MAAA,IAAA,CAAKmG,QAAAA,KAAa,OAAA,IAAWA,QAAAA,KAAa,MAAA,KAAWD,WAAWE,cAAAA,EAAgB;AAC/EjC,QAAAA,WAAAA,CAAY+B,UAAAA,CAAWE,cAAc,CAAA,GAAIpG,KAAAA;AAC1C,MAAA;AAEA,MAAA,IAAI,CAACkG,UAAAA,CAAWP,UAAAA,IAAc,CAACO,WAAWE,cAAAA,EAAgB;AACzD,QAAA,IAAID,QAAAA,KAAa,OAAA,IAAWA,QAAAA,KAAa,MAAA,EAAQ;AAChDhC,UAAAA,WAAAA,CAAY8B,QAAAA,CAAAA,GAAYjG,KAAAA;QACzB,CAAA,MAAO;AACNkE,UAAAA,OAAAA,CAAQ,CAAA,EAAA,EAAK+B,QAAAA,CAAAA,CAAU,CAAA,GAAIjG,KAAAA;AAC5B,QAAA;AACD,MAAA;AACD,IAAA;AAEA,IAAA,OAAO;AACNkE,MAAAA,OAAAA,EAASsB,OAAOQ,IAAAA,CAAK9B,OAAAA,CAAAA,CAASzD,MAAAA,GAAS,IAAIyD,OAAAA,GAAUiB,MAAAA;AACrDhB,MAAAA,WAAAA,EAAaqB,OAAOQ,IAAAA,CAAK7B,WAAAA,CAAAA,CAAa1D,MAAAA,GAAS,IAAI0D,WAAAA,GAAcgB;AAClE,KAAA;AACD,EAAA;;;;AAKQnB,EAAAA,QAAAA,CAAS1B,MAAAA,EAA4C;AAC5D,IAAA,IAAIA,OAAOsD,MAAAA,EAAQ;AAClB,MAAA,OAAOpB,OAAAA,CAAQC,GAAAA,CAAInC,MAAAA,CAAOsD,MAAM,CAAA;AACjC,IAAA;AACA,IAAA,OAAOtD,MAAAA,CAAOtC,KAAAA;AACf,EAAA;;;;AAKA,EAAA,MAAcqF,gBAAAA,CACbC,QAAAA,EACAxC,QAAAA,EACAmC,YAAAA,EACAM,MAAAA,EACkB;AAClB,IAAA,MAAMnG,MAAAA,GAAS,IAAIiH,eAAAA,CAAgB;MAClCC,UAAAA,EAAY,oBAAA;MACZC,SAAAA,EAAWzD,QAAAA;MACX0D,aAAAA,EAAevB;KAChB,CAAA;AAEA,IAAA,IAAIM,MAAAA,IAAUA,MAAAA,CAAO9E,MAAAA,GAAS,CAAA,EAAG;AAChCrB,MAAAA,MAAAA,CAAOqH,MAAAA,CAAO,OAAA,EAASlB,MAAAA,CAAO3C,IAAAA,CAAK,GAAA,CAAA,CAAA;AACpC,IAAA;AAEA,IAAA,MAAM8D,QAAAA,GAAW,MAAMC,KAAAA,CAAMrB,QAAAA,EAAU;MACtCnG,MAAAA,EAAQ,MAAA;MACR+E,OAAAA,EAAS;QACR,cAAA,EAAgB;AACjB,OAAA;AACA0C,MAAAA,IAAAA,EAAMxH,OAAO2F,QAAAA;KACd,CAAA;AAEA,IAAA,IAAI,CAAC2B,SAASG,EAAAA,EAAI;AACjB,MAAA,MAAM,IAAIhH,KAAAA,CAAM,CAAA,2BAAA,EAA8B6G,QAAAA,CAASI,UAAU,CAAA,CAAE,CAAA;AACpE,IAAA;AAEA,IAAA,MAAMpH,IAAAA,GAAQ,MAAMgH,QAAAA,CAASK,IAAAA,EAAI;AACjC,IAAA,OAAOrH,IAAAA,CAAKsH,YAAAA;AACb,EAAA;AACD;;;AC/MO,IAAMC,iBAAN,MAAMA;EApMb;;;EAqMChH,IAAAA,GAAO,OAAA;AACCiH,EAAAA,KAAAA;AAERpH,EAAAA,WAAAA,CAAYoH,KAAAA,EAAoB;AAC/B,IAAA,IAAA,CAAKA,KAAAA,GAAQA,KAAAA;AACd,EAAA;AAEA,EAAA,MAAMC,MAAMC,KAAAA,EAAkC;AAC7C,IAAA,MAAMC,OAAAA,CAAQC,GAAAA,CAAI,IAAA,CAAKJ,KAAAA,CAAMxE,GAAAA,CAAI,CAAC6E,IAAAA,KAASA,IAAAA,CAAKJ,KAAAA,CAAMC,KAAAA,CAAAA,CAAAA,CAAAA;AACvD,EAAA;AAEA,EAAA,MAAMI,WAAWC,MAAAA,EAAqC;AACrD,IAAA,MAAMJ,OAAAA,CAAQC,GAAAA,CAAI,IAAA,CAAKJ,KAAAA,CAAMxE,GAAAA,CAAI,CAAC6E,IAAAA,KAASA,IAAAA,CAAKC,UAAAA,CAAWC,MAAAA,CAAAA,CAAAA,CAAAA;AAC5D,EAAA;AAEA,EAAA,MAAMhJ,MAAMiJ,MAAAA,EAA4C;AACvD,IAAA,KAAA,MAAWH,IAAAA,IAAQ,KAAKL,KAAAA,EAAO;AAC9B,MAAA,IAAIK,KAAK9I,KAAAA,EAAO;AACf,QAAA,OAAO,MAAM8I,IAAAA,CAAK9I,KAAAA,CAAMiJ,MAAAA,CAAAA;AACzB,MAAA;AACD,IAAA;AACA,IAAA,MAAM,IAAI7H,MAAM,mCAAA,CAAA;AACjB,EAAA;AAEA,EAAA,MAAM8H,UAAAA,GAA4B;AACjC,IAAA,MAAMN,OAAAA,CAAQC,GAAAA,CACb,IAAA,CAAKJ,KAAAA,CAAMxE,IAAI,CAAC6E,IAAAA,KAAUA,IAAAA,CAAKI,UAAAA,GAAaJ,KAAKI,UAAAA,EAAU,GAAKN,OAAAA,CAAQ/D,OAAAA,EAAO,CAAA,CAAA;AAEjF,EAAA;AACD","file":"index.cjs","sourcesContent":["import type { ProvenanceMode, SecurityPolicy } from '@mondaydotcomorg/atp-provenance';\nexport { ProvenanceMode, type SecurityPolicy } from '@mondaydotcomorg/atp-provenance';\n\n/**\n * Callback types that can pause execution\n */\nexport enum CallbackType {\n\tLLM = 'llm',\n\tAPPROVAL = 'approval',\n\tEMBEDDING = 'embedding',\n\tTOOL = 'tool',\n}\n\n/**\n * Tool callback operations\n */\nexport enum ToolOperation {\n\tCALL = 'call',\n}\n\nexport interface AgentToolProtocolRequest {\n\tjsonrpc: '2.0';\n\tid: string | number;\n\tmethod: string;\n\tparams: Record<string, unknown>;\n}\n\nexport interface AgentToolProtocolResponse {\n\tjsonrpc: '2.0';\n\tid: string | number;\n\tresult?: unknown;\n\terror?: {\n\t\tcode: number;\n\t\tmessage: string;\n\t\tdata?: unknown;\n\t};\n}\n\nexport interface AgentToolProtocolNotification {\n\tjsonrpc: '2.0';\n\tmethod: string;\n\tparams: Record<string, unknown>;\n}\n\n/**\n * Client-provided service availability\n */\nexport interface ClientServices {\n\t/** Whether client provides LLM implementation */\n\thasLLM: boolean;\n\t/** Whether client provides approval handler */\n\thasApproval: boolean;\n\t/** Whether client provides embedding model */\n\thasEmbedding: boolean;\n\t/** Whether client provides custom tools */\n\thasTools: boolean;\n\t/** Names of client-provided tools (for discovery) */\n\ttoolNames?: string[];\n}\n\n/**\n * Client-provided LLM handler\n */\nexport interface ClientLLMHandler {\n\tcall: (\n\t\tprompt: string,\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t\tmodel?: string;\n\t\t\ttemperature?: number;\n\t\t\tsystemPrompt?: string;\n\t\t}\n\t) => Promise<string>;\n\textract?: <T>(\n\t\tprompt: string,\n\t\tschema: Record<string, unknown>,\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t}\n\t) => Promise<T>;\n\tclassify?: (\n\t\ttext: string,\n\t\tcategories: string[],\n\t\toptions?: {\n\t\t\tcontext?: Record<string, unknown>;\n\t\t}\n\t) => Promise<string>;\n}\n\n/**\n * Client-provided approval handler\n */\nexport interface ClientApprovalHandler {\n\trequest: (\n\t\tmessage: string,\n\t\tcontext?: Record<string, unknown>\n\t) => Promise<{\n\t\tapproved: boolean;\n\t\tresponse?: unknown;\n\t\ttimestamp: number;\n\t}>;\n}\n\n/**\n * Client-provided embedding handler\n */\nexport interface ClientEmbeddingHandler {\n\tembed: (text: string) => Promise<number[]>;\n\tsimilarity?: (text1: string, text2: string) => Promise<number>;\n}\n\n/**\n * Client-provided tool handler\n * Function that executes on the client side when a client tool is invoked\n */\nexport interface ClientToolHandler {\n\t(input: unknown): Promise<unknown>;\n}\n\n/**\n * Client tool definition (metadata sent to server)\n * The actual handler function remains on the client side\n */\nexport interface ClientToolDefinition {\n\t/** Tool name (unique per client session) */\n\tname: string;\n\t/** API namespace (e.g., 'playwright', 'browser'). Defaults to 'client' if not specified */\n\tnamespace?: string;\n\t/** Human-readable description of what the tool does */\n\tdescription: string;\n\t/** JSON Schema for tool input validation */\n\tinputSchema: JSONSchema;\n\t/** JSON Schema for tool output (optional, for documentation) */\n\toutputSchema?: JSONSchema;\n\t/** Tool metadata for security and risk management */\n\tmetadata?: ToolMetadata;\n\t/** Whether this tool supports parallel execution with other tools */\n\tsupportsConcurrency?: boolean;\n\t/** Keywords for search/discovery (optional) */\n\tkeywords?: string[];\n}\n\n/**\n * Client tool with handler (used client-side only)\n * Extends ClientToolDefinition to include the actual handler function\n */\nexport interface ClientTool extends ClientToolDefinition {\n\t/** Handler function that executes on client side */\n\thandler: ClientToolHandler;\n}\n\n/**\n * Tool operation type classification\n */\nexport enum ToolOperationType {\n\t/** Safe read-only operations */\n\tREAD = 'read',\n\t/** Operations that modify data */\n\tWRITE = 'write',\n\t/** Operations that delete or destroy data */\n\tDESTRUCTIVE = 'destructive',\n}\n\n/**\n * Tool sensitivity level\n */\nexport enum ToolSensitivityLevel {\n\t/** Public data, no sensitivity concerns */\n\tPUBLIC = 'public',\n\t/** Internal data, requires authentication */\n\tINTERNAL = 'internal',\n\t/** Sensitive data (PII, financial data, etc.) */\n\tSENSITIVE = 'sensitive',\n}\n\n/**\n * Client-side tool execution rules\n * Allows clients to control which tools can be executed and under what conditions\n */\nexport interface ClientToolRules {\n\t/** Block all tools of specific operation types */\n\tblockOperationTypes?: ToolOperationType[];\n\t/** Block all tools with specific sensitivity levels */\n\tblockSensitivityLevels?: ToolSensitivityLevel[];\n\t/** Require approval for specific operation types */\n\trequireApprovalForOperationTypes?: ToolOperationType[];\n\t/** Require approval for specific sensitivity levels */\n\trequireApprovalForSensitivityLevels?: ToolSensitivityLevel[];\n\t/** Block specific tools by name (e.g., ['deleteDatabase', 'dropTable']) */\n\tblockTools?: string[];\n\t/** Allow only specific tools by name (whitelist mode) */\n\tallowOnlyTools?: string[];\n\t/** Block entire API groups (e.g., ['admin', 'system']) */\n\tblockApiGroups?: string[];\n\t/** Allow only specific API groups (whitelist mode) */\n\tallowOnlyApiGroups?: string[];\n}\n\n/**\n * Tool/API metadata for security and risk management\n *\n * What can clients do with these annotations?\n *\n * 1. **Block Execution**:\n * - Block all WRITE operations: blockOperationTypes: [ToolOperationType.WRITE]\n * - Block all DESTRUCTIVE operations: blockOperationTypes: [ToolOperationType.DESTRUCTIVE]\n * - Block SENSITIVE data access: blockSensitivityLevels: [ToolSensitivityLevel.SENSITIVE]\n *\n * 2. **Require Approval**:\n * - Require approval for WRITE: requireApprovalForOperationTypes: [ToolOperationType.WRITE]\n * - Require approval for DESTRUCTIVE: requireApprovalForOperationTypes: [ToolOperationType.DESTRUCTIVE]\n * - Require approval for SENSITIVE: requireApprovalForSensitivityLevels: [ToolSensitivityLevel.SENSITIVE]\n *\n * 3. **Whitelist/Blacklist**:\n * - Block specific tools: blockTools: ['deleteDatabase', 'dropTable']\n * - Allow only safe tools: allowOnlyTools: ['getUser', 'listItems']\n * - Block admin APIs: blockApiGroups: ['admin', 'system']\n *\n * 4. **Audit & Logging**:\n * - Log all DESTRUCTIVE operations\n * - Track access to SENSITIVE data\n * - Monitor WRITE operations\n *\n * Granularity levels:\n * - Operation Type: READ, WRITE, DESTRUCTIVE (coarse-grained)\n * - Sensitivity Level: PUBLIC, INTERNAL, SENSITIVE (data classification)\n * - Tool Name: Specific function names (fine-grained)\n * - API Group: Entire namespaces (medium-grained)\n */\nexport interface ToolMetadata {\n\t/** Operation type classification */\n\toperationType?: ToolOperationType;\n\t/** Sensitivity level of data handled */\n\tsensitivityLevel?: ToolSensitivityLevel;\n\t/** Require explicit approval before execution (server-side enforcement) */\n\trequiresApproval?: boolean;\n\t/** Category for grouping/filtering (e.g., 'database', 'user-management') */\n\tcategory?: string;\n\t/** Additional tags for classification */\n\ttags?: string[];\n\t/** Human-readable description of potential impact */\n\timpactDescription?: string;\n\t/**\n\t * Required OAuth scopes to use this tool\n\t * Used for scope-based filtering when user credentials have limited permissions\n\t * @example ['repo', 'read:user'] for GitHub\n\t * @example ['https://www.googleapis.com/auth/calendar'] for Google\n\t */\n\trequiredScopes?: string[];\n\t/**\n\t * Generic permissions required (for non-OAuth providers)\n\t * @example ['admin', 'write:users']\n\t */\n\trequiredPermissions?: string[];\n}\n\n/**\n * Client service providers\n */\nexport interface ClientServiceProviders {\n\tllm?: ClientLLMHandler;\n\tapproval?: ClientApprovalHandler;\n\tembedding?: ClientEmbeddingHandler;\n\t/** Client-provided tools that execute locally */\n\ttools?: ClientTool[];\n}\n\nexport interface ExecutionConfig {\n\ttimeout: number;\n\tmaxMemory: number;\n\tmaxLLMCalls: number;\n\tallowedAPIs: string[];\n\tallowLLMCalls: boolean;\n\tprogressCallback?: (message: string, fraction: number) => void;\n\tcustomLLMHandler?: (prompt: string, options?: any) => Promise<string>;\n\tclientServices?: ClientServices;\n\tprovenanceMode?: ProvenanceMode;\n\tsecurityPolicies?: SecurityPolicy[];\n\tprovenanceHints?: string[];\n\trequestContext?: Record<string, unknown>;\n}\n\n/**\n * Execution status codes for fine-grained error reporting\n */\nexport enum ExecutionStatus {\n\tCOMPLETED = 'completed',\n\tFAILED = 'failed',\n\tTIMEOUT = 'timeout',\n\tCANCELLED = 'cancelled',\n\tPAUSED = 'paused',\n\tMEMORY_EXCEEDED = 'memory_exceeded',\n\tLLM_CALLS_EXCEEDED = 'llm_calls_exceeded',\n\tSECURITY_VIOLATION = 'security_violation',\n\tVALIDATION_FAILED = 'validation_failed',\n\tLOOP_DETECTED = 'loop_detected',\n\tRATE_LIMITED = 'rate_limited',\n\tNETWORK_ERROR = 'network_error',\n\tPARSE_ERROR = 'parse_error',\n}\n\n/**\n * Execution error codes for categorizing failures\n */\nexport enum ExecutionErrorCode {\n\tUNKNOWN_ERROR = 'UNKNOWN_ERROR',\n\tEXECUTION_FAILED = 'EXECUTION_FAILED',\n\tTIMEOUT_ERROR = 'TIMEOUT_ERROR',\n\n\tMEMORY_LIMIT_EXCEEDED = 'MEMORY_LIMIT_EXCEEDED',\n\tLLM_CALL_LIMIT_EXCEEDED = 'LLM_CALL_LIMIT_EXCEEDED',\n\tHTTP_CALL_LIMIT_EXCEEDED = 'HTTP_CALL_LIMIT_EXCEEDED',\n\n\tSECURITY_VIOLATION = 'SECURITY_VIOLATION',\n\tVALIDATION_FAILED = 'VALIDATION_FAILED',\n\tFORBIDDEN_OPERATION = 'FORBIDDEN_OPERATION',\n\n\tPARSE_ERROR = 'PARSE_ERROR',\n\tSYNTAX_ERROR = 'SYNTAX_ERROR',\n\tTYPE_ERROR = 'TYPE_ERROR',\n\tREFERENCE_ERROR = 'REFERENCE_ERROR',\n\n\tINFINITE_LOOP_DETECTED = 'INFINITE_LOOP_DETECTED',\n\tLOOP_TIMEOUT = 'LOOP_TIMEOUT',\n\n\tNETWORK_ERROR = 'NETWORK_ERROR',\n\tHTTP_ERROR = 'HTTP_ERROR',\n\tDNS_ERROR = 'DNS_ERROR',\n\n\tRATE_LIMIT_EXCEEDED = 'RATE_LIMIT_EXCEEDED',\n\tCONCURRENT_LIMIT_EXCEEDED = 'CONCURRENT_LIMIT_EXCEEDED',\n}\n\nexport interface ExecutionResult {\n\texecutionId: string;\n\tstatus: ExecutionStatus;\n\tresult?: unknown;\n\terror?: {\n\t\tmessage: string;\n\t\tcode?: ExecutionErrorCode;\n\t\tstack?: string;\n\t\tline?: number;\n\t\tcontext?: Record<string, unknown>;\n\t\tretryable?: boolean;\n\t\tsuggestion?: string;\n\t};\n\tstats: {\n\t\tduration: number;\n\t\tmemoryUsed: number;\n\t\tllmCallsCount: number;\n\t\tapprovalCallsCount: number;\n\t\tstatementsExecuted?: number;\n\t\tstatementsCached?: number;\n\t};\n\tneedsCallback?: {\n\t\ttype: CallbackType;\n\t\toperation: string;\n\t\tpayload: Record<string, unknown>;\n\t};\n\tneedsCallbacks?: BatchCallbackRequest[];\n\tcallbackHistory?: Array<{\n\t\ttype: CallbackType;\n\t\toperation: string;\n\t\tpayload: Record<string, unknown>;\n\t\tresult?: unknown;\n\t\ttimestamp: number;\n\t\tsequenceNumber: number;\n\t}>;\n\ttransformedCode?: string;\n\tprovenanceSnapshot?: unknown;\n\tprovenanceTokens?: Array<{\n\t\tpath: string;\n\t\ttoken: string;\n\t}>;\n}\n\n/**\n * Batch callback request for parallel execution\n */\nexport interface BatchCallbackRequest {\n\t/** Unique callback ID */\n\tid: string;\n\t/** Callback type */\n\ttype: CallbackType;\n\t/** Operation name */\n\toperation: string;\n\t/** Operation payload */\n\tpayload: Record<string, unknown>;\n}\n\n/**\n * Batch callback result from client\n */\nexport interface BatchCallbackResult {\n\t/** Callback ID (matches BatchCallbackRequest.id) */\n\tid: string;\n\t/** Callback result */\n\tresult: unknown;\n}\n\nexport interface SearchOptions {\n\tquery: string;\n\tapiGroups?: string[];\n\tmaxResults?: number;\n\tuseEmbeddings?: boolean;\n\tembeddingModel?: string;\n}\n\nexport interface SearchResult {\n\tapiGroup: string;\n\tfunctionName: string;\n\tdescription: string;\n\tsignature: string;\n\texample?: string;\n\trelevanceScore: number;\n}\n\nexport interface ExploreRequest {\n\tpath: string;\n}\n\nexport interface ExploreDirectoryResult {\n\ttype: 'directory';\n\tpath: string;\n\titems: Array<{ name: string; type: 'directory' | 'function' }>;\n}\n\nexport interface ExploreFunctionResult {\n\ttype: 'function';\n\tpath: string;\n\tname: string;\n\tdescription: string;\n\tdefinition: string;\n\tgroup: string;\n}\n\nexport type ExploreResult = ExploreDirectoryResult | ExploreFunctionResult;\n\nexport interface ValidationResult {\n\tvalid: boolean;\n\terrors?: ValidationError[];\n\twarnings?: ValidationError[];\n\tsecurityIssues?: SecurityIssue[];\n}\n\nexport interface ValidationError {\n\tline: number;\n\tmessage: string;\n\tseverity: 'error' | 'warning';\n}\n\nexport interface SecurityIssue {\n\tline: number;\n\tissue: string;\n\trisk: 'low' | 'medium' | 'high';\n}\n\nexport interface APISource {\n\ttype: 'mcp' | 'openapi' | 'custom';\n\tname: string;\n\turl?: string;\n\tspec?: unknown;\n}\n\nexport interface ServerConfig {\n\tapiGroups: APIGroupConfig[];\n\tsecurity: SecurityConfig;\n\texecution: ExecutionLimits;\n\tsearch: SearchConfig;\n\tlogging: LoggingConfig;\n}\n\nexport interface APIGroupConfig {\n\tname: string;\n\ttype: 'mcp' | 'openapi' | 'graphql' | 'custom';\n\turl?: string;\n\tspec?: unknown;\n\tfunctions?: CustomFunctionDef[];\n\t/** Authentication configuration for this API group */\n\tauth?: import('./auth.js').AuthConfig;\n}\n\nexport interface SecurityConfig {\n\tallowedOrigins: string[];\n\tapiKeyRequired: boolean;\n\trateLimits: {\n\t\trequestsPerMinute: number;\n\t\texecutionsPerHour: number;\n\t};\n}\n\nexport interface ExecutionLimits {\n\tdefaultTimeout: number;\n\tmaxTimeout: number;\n\tdefaultMemoryLimit: number;\n\tmaxMemoryLimit: number;\n\tdefaultLLMCallLimit: number;\n\tmaxLLMCallLimit: number;\n}\n\nexport interface SearchConfig {\n\tenableEmbeddings: boolean;\n\tembeddingProvider?: 'openai' | 'cohere' | 'custom';\n\tcustomSearcher?: (query: string) => Promise<SearchResult[]>;\n}\n\nexport interface LoggingConfig {\n\tlevel: 'debug' | 'info' | 'warn' | 'error';\n\tdestination: 'console' | 'file' | 'remote';\n\tauditEnabled: boolean;\n}\n\n/** Context passed to function handlers during execution */\nexport interface FunctionHandlerContext {\n\tmetadata?: ToolMetadata;\n\trequestContext?: Record<string, unknown>;\n}\n\nexport interface CustomFunctionDef {\n\tname: string;\n\tdescription: string;\n\tinputSchema: JSONSchema;\n\toutputSchema?: JSONSchema;\n\thandler: (params: unknown, context?: FunctionHandlerContext) => Promise<unknown>;\n\tkeywords?: string[];\n\tmetadata?: ToolMetadata; // NEW: Tool metadata for security\n\trequiredScopes?: string[]; // OAuth scopes required to use this function\n\tauth?: {\n\t\tsource?: 'server' | 'user';\n\t\toauthProvider?: string;\n\t};\n}\n\nexport interface JSONSchema {\n\ttype: string;\n\tproperties?: Record<string, unknown>;\n\trequired?: string[];\n\t[key: string]: unknown;\n}\n\nexport interface ClientConfig {\n\tserverUrl: string;\n\tapiKey: string;\n\ttimeout?: number;\n\tllmProvider: 'anthropic' | 'openai' | 'custom';\n\tllmModel?: string;\n\ttemperature?: number;\n\tdefaultExecutionConfig?: Partial<ExecutionConfig>;\n\tsearchPreferences?: {\n\t\tuseEmbeddings?: boolean;\n\t\tembeddingModel?: string;\n\t\tmaxResults?: number;\n\t};\n}\n\nexport interface RuntimeMethodParam {\n\tname: string;\n\ttype: string;\n\tdescription: string;\n\toptional: boolean;\n}\n\nexport interface RuntimeMethod {\n\tname: string;\n\tdescription: string;\n\tparams: RuntimeMethodParam[];\n\treturns: string;\n}\n\nexport interface RuntimeAPI {\n\tname: string;\n\tdescription: string;\n\tmethods: RuntimeMethod[];\n}\n\nexport interface RuntimeDefinitions {\n\tversion: string;\n\truntimeAPIs: RuntimeAPI[];\n\tdescription: string;\n\tusage: { example: string };\n}\n","import type { JSONSchema } from './types.js';\n\nexport const ExecutionConfigSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\ttimeout: { type: 'number', minimum: 1000, maximum: 300000 },\n\t\tmaxMemory: { type: 'number', minimum: 1048576, maximum: 536870912 },\n\t\tmaxLLMCalls: { type: 'number', minimum: 0, maximum: 100 },\n\t\tallowedAPIs: { type: 'array', items: { type: 'string' } },\n\t\tallowLLMCalls: { type: 'boolean' },\n\t},\n\trequired: ['timeout', 'maxMemory', 'maxLLMCalls', 'allowedAPIs', 'allowLLMCalls'],\n};\n\nexport const SearchOptionsSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tquery: { type: 'string', minLength: 1 },\n\t\tapiGroups: { type: 'array', items: { type: 'string' } },\n\t\tmaxResults: { type: 'number', minimum: 1, maximum: 100 },\n\t\tuseEmbeddings: { type: 'boolean' },\n\t\tembeddingModel: { type: 'string' },\n\t},\n\trequired: ['query'],\n};\n\nexport const AgentToolProtocolRequestSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tjsonrpc: { type: 'string', enum: ['2.0'] },\n\t\tid: { type: ['string', 'number'] },\n\t\tmethod: { type: 'string' },\n\t\tparams: { type: 'object' },\n\t},\n\trequired: ['jsonrpc', 'id', 'method', 'params'],\n};\n\nexport const AgentToolProtocolResponseSchema: JSONSchema = {\n\ttype: 'object',\n\tproperties: {\n\t\tjsonrpc: { type: 'string', enum: ['2.0'] },\n\t\tid: { type: ['string', 'number'] },\n\t\tresult: {},\n\t\terror: {\n\t\t\ttype: 'object',\n\t\t\tproperties: {\n\t\t\t\tcode: { type: 'number' },\n\t\t\t\tmessage: { type: 'string' },\n\t\t\t\tdata: {},\n\t\t\t},\n\t\t\trequired: ['code', 'message'],\n\t\t},\n\t},\n\trequired: ['jsonrpc', 'id'],\n};\n","/**\n * Input validation utilities for ExecutionConfig and other types\n */\n\nimport { z } from 'zod';\nimport type { ExecutionConfig } from './types.js';\n\n/**\n * Maximum allowed code size (1MB)\n */\nexport const MAX_CODE_SIZE = 1000000;\n\nexport class ConfigValidationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic readonly field: string,\n\t\tpublic readonly value: unknown\n\t) {\n\t\tsuper(message);\n\t\tthis.name = 'ConfigValidationError';\n\t}\n}\n\nexport class SecurityViolationError extends Error {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic readonly violations: string[]\n\t) {\n\t\tsuper(message);\n\t\tthis.name = 'SecurityViolationError';\n\t}\n}\n\n/**\n * Sanitizes input string by removing control characters and normalizing whitespace\n */\nexport function sanitizeInput(input: string, maxLength = MAX_CODE_SIZE): string {\n\tif (typeof input !== 'string') {\n\t\treturn '';\n\t}\n\n\tlet sanitized = input.replace(/[\\x00-\\x08\\x0B-\\x0C\\x0E-\\x1F\\x7F]/g, '');\n\n\tsanitized = sanitized.replace(/[\\u200B-\\u200D\\uFEFF]/g, '');\n\n\tsanitized = sanitized.replace(/\\n{10,}/g, '\\n\\n\\n');\n\n\tif (sanitized.length > maxLength) {\n\t\tsanitized = sanitized.substring(0, maxLength);\n\t}\n\n\treturn sanitized;\n}\n\n/**\n * Frames user code in a secure execution context to prevent injection attacks\n * Similar to SQL parameterized queries - treats user code as data within a safe boundary\n */\nexport function frameCodeExecution(userCode: string): string {\n\tconst cleaned = sanitizeInput(userCode);\n\n\treturn `\n(async function __user_code_context__() {\n\t\"use strict\";\n\t${cleaned}\n})();\n`.trim();\n}\n\n/**\n * Zod schema for ExecutionConfig validation\n */\nexport const executionConfigSchema = z.object({\n\ttimeout: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'timeout must be a number',\n\t\t})\n\t\t.positive('timeout must be positive')\n\t\t.max(300000, 'timeout cannot exceed 300000ms (5 minutes)')\n\t\t.optional(),\n\n\tmaxMemory: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'maxMemory must be a number',\n\t\t})\n\t\t.positive('maxMemory must be positive')\n\t\t.max(512 * 1024 * 1024, 'maxMemory cannot exceed 512MB')\n\t\t.optional(),\n\n\tmaxLLMCalls: z\n\t\t.number({\n\t\t\tinvalid_type_error: 'maxLLMCalls must be a number',\n\t\t})\n\t\t.nonnegative('maxLLMCalls cannot be negative')\n\t\t.max(1000, 'maxLLMCalls cannot exceed 1000')\n\t\t.optional(),\n\n\tallowedAPIs: z\n\t\t.array(\n\t\t\tz.string().refine((val) => val.trim().length > 0, {\n\t\t\t\tmessage: 'allowedAPIs must contain non-empty strings',\n\t\t\t})\n\t\t)\n\t\t.optional(),\n\n\tallowLLMCalls: z\n\t\t.boolean({\n\t\t\tinvalid_type_error: 'allowLLMCalls must be a boolean',\n\t\t})\n\t\t.optional(),\n\n\tprogressCallback: z.function().optional(),\n\tcustomLLMHandler: z.function().optional(),\n\tclientServices: z.any().optional(),\n\tprovenanceMode: z.any().optional(),\n\tsecurityPolicies: z.array(z.any()).optional(),\n\tprovenanceHints: z.array(z.string()).optional(),\n});\n\n/**\n * Validates ExecutionConfig parameters using Zod\n */\nexport function validateExecutionConfig(config: Partial<ExecutionConfig>): void {\n\ttry {\n\t\texecutionConfigSchema.parse(config);\n\t} catch (error) {\n\t\tif (error instanceof z.ZodError) {\n\t\t\tconst errors = error.errors.map((err) => err.message);\n\t\t\tthrow new ConfigValidationError(\n\t\t\t\t`Invalid ExecutionConfig: ${errors.join(', ')}`,\n\t\t\t\t'ExecutionConfig',\n\t\t\t\tconfig\n\t\t\t);\n\t\t}\n\t\tthrow error;\n\t}\n}\n\n/**\n * Validates client ID format\n */\nexport function validateClientId(clientId: string): void {\n\tif (typeof clientId !== 'string') {\n\t\tthrow new ConfigValidationError('clientId must be a string', 'clientId', clientId);\n\t}\n\n\tif (clientId.trim().length === 0) {\n\t\tthrow new ConfigValidationError('clientId cannot be empty', 'clientId', clientId);\n\t}\n\n\tif (clientId.length > 256) {\n\t\tthrow new ConfigValidationError('clientId cannot exceed 256 characters', 'clientId', clientId);\n\t}\n\n\tif (!/^[a-zA-Z0-9_-]+$/.test(clientId)) {\n\t\tthrow new ConfigValidationError(\n\t\t\t'clientId can only contain alphanumeric characters, dashes, and underscores',\n\t\t\t'clientId',\n\t\t\tclientId\n\t\t);\n\t}\n}\n","/**\n * Authentication and credential management types for Agent Tool Protocol\n */\n\n/**\n * Supported authentication schemes\n */\nexport type AuthScheme = 'apiKey' | 'bearer' | 'basic' | 'oauth2' | 'custom' | 'composite';\n\n/**\n * Base authentication configuration\n */\nexport interface BaseAuthConfig {\n\tscheme: AuthScheme;\n\t/** Environment variable name to read credentials from */\n\tenvVar?: string;\n\t/** Direct credential value (not recommended for production) */\n\tvalue?: string;\n\t/**\n\t * Credential source: 'server' for server-level env vars (default), 'user' for user-scoped OAuth\n\t */\n\tsource?: 'server' | 'user';\n\t/**\n\t * OAuth provider name for user-scoped credentials (e.g., 'github', 'google')\n\t * Required when source='user'. Used to look up user's OAuth token from AuthProvider.\n\t * Note: This is different from the 'provider' field which is for runtime credential providers.\n\t */\n\toauthProvider?: string;\n\t/** Runtime credential provider function name */\n\tprovider?: string;\n}\n\n/**\n * API Key authentication (in header or query param)\n */\nexport interface APIKeyAuthConfig extends BaseAuthConfig {\n\tscheme: 'apiKey';\n\t/** Where to send the API key */\n\tin: 'header' | 'query';\n\t/** Parameter/header name */\n\tname: string;\n}\n\n/**\n * Bearer token authentication\n */\nexport interface BearerAuthConfig extends BaseAuthConfig {\n\tscheme: 'bearer';\n\t/** Optional bearer format (e.g., 'JWT') */\n\tbearerFormat?: string;\n}\n\n/**\n * HTTP Basic authentication\n */\nexport interface BasicAuthConfig extends BaseAuthConfig {\n\tscheme: 'basic';\n\t/** Username (can use envVar for dynamic value) */\n\tusername?: string;\n\t/** Username environment variable */\n\tusernameEnvVar?: string;\n\t/** Password environment variable */\n\tpasswordEnvVar?: string;\n}\n\n/**\n * OAuth2 authentication with automatic token refresh\n */\nexport interface OAuth2AuthConfig extends BaseAuthConfig {\n\tscheme: 'oauth2';\n\t/** OAuth2 flow type */\n\tflow: 'clientCredentials' | 'authorizationCode' | 'implicit' | 'password';\n\t/** Token endpoint URL */\n\ttokenUrl: string;\n\t/** Authorization endpoint (for authorizationCode/implicit) */\n\tauthorizationUrl?: string;\n\t/** Client ID */\n\tclientId?: string;\n\t/** Client ID environment variable */\n\tclientIdEnvVar?: string;\n\t/** Client secret environment variable */\n\tclientSecretEnvVar?: string;\n\t/** Scopes required */\n\tscopes?: string[];\n\t/** Refresh token environment variable (for token refresh) */\n\trefreshTokenEnvVar?: string;\n}\n\n/**\n * Custom authentication with arbitrary headers\n */\nexport interface CustomAuthConfig extends BaseAuthConfig {\n\tscheme: 'custom';\n\t/** Custom headers to inject */\n\theaders: Record<string, string>;\n\t/** Environment variables to use for header values */\n\theaderEnvVars?: Record<string, string>;\n\t/** Query parameters to inject */\n\tqueryParams?: Record<string, string>;\n\t/** Environment variables to use for query parameter values */\n\tqueryParamEnvVars?: Record<string, string>;\n}\n\n/**\n * Composite authentication - combines multiple auth mechanisms\n * Useful for APIs that require multiple credentials (e.g., projectId + apiKey + secret)\n */\nexport interface CompositeAuthConfig extends BaseAuthConfig {\n\tscheme: 'composite';\n\t/**\n\t * Multiple credentials to combine\n\t * Example: { projectId: { envVar: 'PROJECT_ID' }, apiKey: { envVar: 'API_KEY' }, secret: { envVar: 'API_SECRET' } }\n\t */\n\tcredentials: Record<string, CredentialConfig>;\n\t/** How to inject credentials: 'header', 'query', or 'both' */\n\tinjectAs?: 'header' | 'query' | 'both';\n}\n\n/**\n * Individual credential configuration for composite auth\n */\nexport interface CredentialConfig {\n\t/** Environment variable to read from */\n\tenvVar?: string;\n\t/** Direct value (not recommended) */\n\tvalue?: string;\n\t/** Header name if injecting as header */\n\theaderName?: string;\n\t/** Query param name if injecting as query */\n\tqueryParamName?: string;\n\t/** Whether this credential is required */\n\trequired?: boolean;\n}\n\n/**\n * Union type of all auth configurations\n */\nexport type AuthConfig =\n\t| APIKeyAuthConfig\n\t| BearerAuthConfig\n\t| BasicAuthConfig\n\t| OAuth2AuthConfig\n\t| CustomAuthConfig\n\t| CompositeAuthConfig;\n\n/**\n * Runtime credential provider\n * Allows dynamic credential resolution at runtime\n */\nexport interface CredentialProvider {\n\tname: string;\n\t/** Resolves credentials dynamically */\n\tresolve: () => Promise<Credentials> | Credentials;\n}\n\n/**\n * Resolved credentials ready to be injected into requests\n */\nexport interface Credentials {\n\theaders?: Record<string, string>;\n\tqueryParams?: Record<string, string>;\n}\n\n/**\n * Credential resolver - resolves auth config to actual credentials\n */\nexport class CredentialResolver {\n\tprivate providers: Map<string, CredentialProvider> = new Map();\n\n\t/**\n\t * Registers a runtime credential provider\n\t */\n\tregisterProvider(provider: CredentialProvider): void {\n\t\tthis.providers.set(provider.name, provider);\n\t}\n\n\t/**\n\t * Resolves auth configuration to credentials\n\t */\n\tasync resolve(authConfig: AuthConfig): Promise<Credentials> {\n\t\tif (authConfig.provider) {\n\t\t\tconst provider = this.providers.get(authConfig.provider);\n\t\t\tif (!provider) {\n\t\t\t\tthrow new Error(`Credential provider '${authConfig.provider}' not found`);\n\t\t\t}\n\t\t\treturn await provider.resolve();\n\t\t}\n\n\t\tswitch (authConfig.scheme) {\n\t\t\tcase 'apiKey':\n\t\t\t\treturn this.resolveAPIKey(authConfig);\n\t\t\tcase 'bearer':\n\t\t\t\treturn this.resolveBearer(authConfig);\n\t\t\tcase 'basic':\n\t\t\t\treturn this.resolveBasic(authConfig);\n\t\t\tcase 'oauth2':\n\t\t\t\treturn this.resolveOAuth2(authConfig);\n\t\t\tcase 'custom':\n\t\t\t\treturn this.resolveCustom(authConfig);\n\t\t\tcase 'composite':\n\t\t\t\treturn this.resolveComposite(authConfig);\n\t\t\tdefault:\n\t\t\t\tthrow new Error(`Unsupported auth scheme: ${(authConfig as any).scheme}`);\n\t\t}\n\t}\n\n\tprivate resolveAPIKey(config: APIKeyAuthConfig): Credentials {\n\t\tconst value = this.getValue(config);\n\t\tif (!value) {\n\t\t\tthrow new Error(`API key not provided for '${config.name}'`);\n\t\t}\n\n\t\tif (config.in === 'header') {\n\t\t\treturn { headers: { [config.name]: value } };\n\t\t} else {\n\t\t\treturn { queryParams: { [config.name]: value } };\n\t\t}\n\t}\n\n\tprivate resolveBearer(config: BearerAuthConfig): Credentials {\n\t\tconst token = this.getValue(config);\n\t\tif (!token) {\n\t\t\tthrow new Error('Bearer token not provided');\n\t\t}\n\n\t\treturn {\n\t\t\theaders: {\n\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t},\n\t\t};\n\t}\n\n\tprivate resolveBasic(config: BasicAuthConfig): Credentials {\n\t\tconst username = config.usernameEnvVar ? process.env[config.usernameEnvVar] : config.username;\n\t\tconst password = config.passwordEnvVar\n\t\t\t? process.env[config.passwordEnvVar]\n\t\t\t: this.getValue(config);\n\n\t\tif (!username || !password) {\n\t\t\tthrow new Error('Basic auth username and password not provided');\n\t\t}\n\n\t\tconst credentials = Buffer.from(`${username}:${password}`).toString('base64');\n\t\treturn {\n\t\t\theaders: {\n\t\t\t\tAuthorization: `Basic ${credentials}`,\n\t\t\t},\n\t\t};\n\t}\n\n\tprivate async resolveOAuth2(config: OAuth2AuthConfig): Promise<Credentials> {\n\t\tconst clientId = config.clientIdEnvVar ? process.env[config.clientIdEnvVar] : config.clientId;\n\t\tconst clientSecret = config.clientSecretEnvVar\n\t\t\t? process.env[config.clientSecretEnvVar]\n\t\t\t: undefined;\n\n\t\tif (!clientId || !clientSecret) {\n\t\t\tthrow new Error('OAuth2 client credentials not provided');\n\t\t}\n\n\t\tif (config.flow === 'clientCredentials') {\n\t\t\tconst token = await this.fetchOAuth2Token(\n\t\t\t\tconfig.tokenUrl,\n\t\t\t\tclientId,\n\t\t\t\tclientSecret,\n\t\t\t\tconfig.scopes\n\t\t\t);\n\t\t\treturn {\n\t\t\t\theaders: {\n\t\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tconst token = this.getValue(config);\n\t\tif (token) {\n\t\t\treturn {\n\t\t\t\theaders: {\n\t\t\t\t\tAuthorization: `Bearer ${token}`,\n\t\t\t\t},\n\t\t\t};\n\t\t}\n\n\t\tthrow new Error(`OAuth2 flow '${config.flow}' requires manual token setup`);\n\t}\n\n\tprivate resolveCustom(config: CustomAuthConfig): Credentials {\n\t\tconst headers: Record<string, string> = {};\n\t\tconst queryParams: Record<string, string> = {};\n\n\t\tObject.assign(headers, config.headers);\n\n\t\tif (config.headerEnvVars) {\n\t\t\tfor (const [headerName, envVar] of Object.entries(config.headerEnvVars)) {\n\t\t\t\tconst value = process.env[envVar];\n\t\t\t\tif (value) {\n\t\t\t\t\theaders[headerName] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (config.queryParams) {\n\t\t\tObject.assign(queryParams, config.queryParams);\n\t\t}\n\n\t\tif (config.queryParamEnvVars) {\n\t\t\tfor (const [paramName, envVar] of Object.entries(config.queryParamEnvVars)) {\n\t\t\t\tconst value = process.env[envVar];\n\t\t\t\tif (value) {\n\t\t\t\t\tqueryParams[paramName] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\theaders: Object.keys(headers).length > 0 ? headers : undefined,\n\t\t\tqueryParams: Object.keys(queryParams).length > 0 ? queryParams : undefined,\n\t\t};\n\t}\n\n\tprivate resolveComposite(config: CompositeAuthConfig): Credentials {\n\t\tconst headers: Record<string, string> = {};\n\t\tconst queryParams: Record<string, string> = {};\n\n\t\tfor (const [credName, credConfig] of Object.entries(config.credentials)) {\n\t\t\tconst value = credConfig.envVar ? process.env[credConfig.envVar] : credConfig.value;\n\n\t\t\tif (!value) {\n\t\t\t\tif (credConfig.required !== false) {\n\t\t\t\t\tthrow new Error(`Required credential '${credName}' not provided`);\n\t\t\t\t}\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t\tconst injectAs = config.injectAs || 'header';\n\n\t\t\tif ((injectAs === 'header' || injectAs === 'both') && credConfig.headerName) {\n\t\t\t\theaders[credConfig.headerName] = value;\n\t\t\t}\n\n\t\t\tif ((injectAs === 'query' || injectAs === 'both') && credConfig.queryParamName) {\n\t\t\t\tqueryParams[credConfig.queryParamName] = value;\n\t\t\t}\n\n\t\t\tif (!credConfig.headerName && !credConfig.queryParamName) {\n\t\t\t\tif (injectAs === 'query' || injectAs === 'both') {\n\t\t\t\t\tqueryParams[credName] = value;\n\t\t\t\t} else {\n\t\t\t\t\theaders[`X-${credName}`] = value;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\theaders: Object.keys(headers).length > 0 ? headers : undefined,\n\t\t\tqueryParams: Object.keys(queryParams).length > 0 ? queryParams : undefined,\n\t\t};\n\t}\n\n\t/**\n\t * Gets credential value from config (env var or direct value)\n\t */\n\tprivate getValue(config: BaseAuthConfig): string | undefined {\n\t\tif (config.envVar) {\n\t\t\treturn process.env[config.envVar];\n\t\t}\n\t\treturn config.value;\n\t}\n\n\t/**\n\t * Fetches OAuth2 token using client credentials flow\n\t */\n\tprivate async fetchOAuth2Token(\n\t\ttokenUrl: string,\n\t\tclientId: string,\n\t\tclientSecret: string,\n\t\tscopes?: string[]\n\t): Promise<string> {\n\t\tconst params = new URLSearchParams({\n\t\t\tgrant_type: 'client_credentials',\n\t\t\tclient_id: clientId,\n\t\t\tclient_secret: clientSecret,\n\t\t});\n\n\t\tif (scopes && scopes.length > 0) {\n\t\t\tparams.append('scope', scopes.join(' '));\n\t\t}\n\n\t\tconst response = await fetch(tokenUrl, {\n\t\t\tmethod: 'POST',\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-www-form-urlencoded',\n\t\t\t},\n\t\t\tbody: params.toString(),\n\t\t});\n\n\t\tif (!response.ok) {\n\t\t\tthrow new Error(`OAuth2 token fetch failed: ${response.statusText}`);\n\t\t}\n\n\t\tconst data = (await response.json()) as { access_token: string };\n\t\treturn data.access_token;\n\t}\n}\n","/**\n * Provider interfaces for